Smart Sleep Mask Security Flaw Exposes Users' Brainwave Data on Open Server
By minimalthinker
Summary
A security researcher discovered that a smart sleep mask purchased from Kickstarter was broadcasting users' brainwave data to an open MQTT broker without encryption. The mask, from a Chinese research company, features EEG brain monitoring, electrical muscle stimulation, and other functions. The researcher reverse-engineered the device and found it was sending sensitive biometric data, including brainwave patterns, sleep stages, and facial muscle activity, to a publicly accessible server. This exposed users to privacy violations and made it possible for strangers to send electrical impulses to other users' faces.
Key quotes
I was not expecting to end up with the ability to read strangers' brainwaves and send them electric impulses in their sleep.
The mask was from a small Chinese research company, very cool hardware -- EEG brain monitoring, electrical muscle stimulation around the eyes, vibration, heating, audio.
The app was still rough around the edges though and the mask kept disconnecting, so I asked Claude to try reverse-engineering the protocol.
I discovered the mask was broadcasting all its data to an open MQTT broker without any encryption or authentication.
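The broker-side counterpart of the flaw described above, as an added example that is not taken from the article or from the mask vendor: a Mosquitto configuration showing the open, unencrypted listener pattern next to a hardened one with TLS, per-device identity and topic-scoped authorization. The topic layout `sleepmask/<device-id>/...`, the certificate paths and the `backend` identity are assumptions for this example.

```conf
# mosquitto.conf -- added example, not the vendor's configuration.
# Assumes each device publishes under sleepmask/<device-id>/... and is
# provisioned with its own client certificate (paths are placeholders).

per_listener_settings true

# --- What the article describes: an open, unencrypted broker ---
# A plaintext listener that accepts anonymous clients lets anyone on the
# internet subscribe to every device's EEG stream and publish commands to
# every device. Remove this listener entirely; it is shown here disabled.
#listener 1883
#allow_anonymous true

# --- Hardened listener: TLS, per-device identity, least-privilege topics ---
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Require a client certificate signed by our CA and use its CN as the MQTT
# username, so no shared credential has to be baked into the firmware.
require_certificate true
use_identity_as_username true
allow_anonymous false

# Topic authorization: a device may only read and write under its own ID;
# anything not granted by the ACL file is denied.
acl_file /etc/mosquitto/acl
#
# Contents of /etc/mosquitto/acl (%u is replaced by the client's username,
# i.e. the certificate CN; "backend" is an assumed server-side identity):
#   pattern readwrite sleepmask/%u/#
#   user backend
#   topic read sleepmask/#
```

With this layout a compromised or curious client holding one device certificate can see and control only its own topic subtree, and an unauthenticated scan of the broker gets a TLS handshake failure rather than a firehose of biometric data.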